Authentication
Credit Key’s V2 API uses access tokens for authenticating and authorizing requests.
Your system obtains an access token through the authentication flow and includes it in the Authorization header when calling protected endpoints such as Orders, Hosted Checkout, Applications, Payments, Companies, and Webhooks.
This page explains how access-token authentication works and how to apply it to every API request.
Access Token Authentication
Most V2 API operations require a valid Bearer access token.
General pattern:
- Your integration performs an authentication flow and receives an access token.
- Include the token in each API request:
Authorization: Bearer <access_token>
- When the token expires, re-authenticate or refresh, depending on your implementation.
Access tokens identify the calling integration and determine which operations it is permitted to perform.
Using an Access Token
Once you have an access token, include it on every authenticated request.
Endpoints requiring authentication include:
- Orders (create, update, capture, refund)
- Hosted Checkout
- Applications
- Companies
- Webhooks
- Payments
If the access token is missing or invalid, the API will return 401 Unauthorized or 403 Forbidden. In conventional HTTP usage, 401 means the request carried no usable credential (missing, malformed, or expired token) and is a cue to obtain a new token and retry; 403 means the token was recognised but is not permitted to perform the operation, so re-authenticating with the same credentials will not help.
Token Expiration
Access tokens expire by design, which limits how long a leaked token remains usable.
When a token expires:
- Re-authenticate to obtain a new token or
- Use your refresh-token flow if supported
Your integration should detect expired tokens, either from a 401 response or from the token's known expiry time, and retry the request after obtaining a new one. Limit the retry to a single attempt so that a misconfigured credential fails fast instead of looping on re-authentication.
Sending Authenticated Requests
Every authenticated API call must include:
- Authorization: Bearer <access_token>
- Any additional headers defined by the endpoint
- A valid JSON request body when required
Example header pattern:
Authorization: Bearer <access_token>
If an authenticated operation is called without this header, the request will fail.
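The pattern described above (obtain a token, send it as a Bearer header on every call, renew it before it expires, retry once on 401, and stop on 403) as a small client, written as an added example rather than code from Credit Key. The authentication endpoint, the token lifetime, the per-token scope model, and the in-memory FakeServer are all assumptions made so the example runs offline; substitute your real authentication flow for `fetch_token` and an HTTP library call for `transport`.

```python
"""Bearer-token client for a JSON API: attach the token, renew it before expiry,
retry once on 401, and give up on 403. Added example; not Credit Key's own code."""
import json
import time
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlparse

# Pluggable transport so the example runs offline: (method, url, headers, body) -> (status, body)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


class TokenProvider:
    """Caches one access token and renews it shortly before it expires.

    fetch_token is your authentication flow (assumed here to return
    (access_token, expires_in_seconds)). The margin keeps a token that is
    seconds from expiry from being sent and rejected mid-flight.
    """

    def __init__(self, fetch_token: Callable[[], Tuple[str, int]],
                 margin: int = 30, clock: Callable[[], float] = time.time):
        self._fetch, self._margin, self._clock = fetch_token, margin, clock
        self._token: Optional[str] = None
        self._expires_at = 0.0

    def get(self) -> str:
        if self._token is None or self._clock() >= self._expires_at - self._margin:
            self._token, ttl = self._fetch()
            self._expires_at = self._clock() + ttl
        return self._token

    def invalidate(self) -> None:
        """Drop the cached token after the server rejected it (revoked, or clocks disagree)."""
        self._token = None


class ApiClient:
    def __init__(self, base_url: str, tokens: TokenProvider, transport: Transport):
        self._base, self._tokens, self._send = base_url, tokens, transport

    def _call(self, method: str, path: str, payload: Optional[bytes]) -> Tuple[int, bytes]:
        headers = {"Authorization": f"Bearer {self._tokens.get()}", "Accept": "application/json"}
        if payload is not None:
            headers["Content-Type"] = "application/json"
        return self._send(method, self._base + path, headers, payload)

    def request(self, method: str, path: str, body=None) -> Tuple[int, bytes]:
        payload = None if body is None else json.dumps(body).encode()
        status, resp = self._call(method, path, payload)
        if status == 401:
            # Token rejected: discard it and retry exactly once with a fresh one.
            self._tokens.invalidate()
            status, resp = self._call(method, path, payload)
        if status == 401:
            raise RuntimeError("still unauthorized after refreshing the token; check credentials")
        if status == 403:
            # A new token will not help: this integration lacks permission for the operation.
            raise PermissionError(f"{method} {path} forbidden for this token")
        return status, resp


class FakeServer:
    """Constructed stand-in for the API. Issues tokens, validates the Bearer header,
    and enforces a per-token scope (an assumption, not Credit Key's real scope model)."""

    def __init__(self, clock: Callable[[], float], scopes: set):
        self.clock, self.scopes = clock, scopes
        self.valid: Dict[str, float] = {}   # token -> server-side expiry
        self.issued = 0
        self.log = []

    def issue(self) -> Tuple[str, int]:
        self.issued += 1
        token = f"tok-{self.issued}"
        self.valid[token] = self.clock() + 300
        return token, 300

    def revoke(self, token: str) -> None:
        self.valid.pop(token, None)

    def transport(self, method, url, headers, body) -> Tuple[int, bytes]:
        self.log.append((method, url))
        auth = headers.get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else None
        if token not in self.valid or self.clock() >= self.valid[token]:
            return 401, b'{"error":"invalid_token"}'
        resource = urlparse(url).path.strip("/").split("/")[0]
        if resource not in self.scopes:
            return 403, b'{"error":"insufficient_scope"}'
        return 200, b'{"ok":true}'


def demo() -> dict:
    """Walk through proactive renewal, a reactive 401 retry, and a 403 that is not retried."""
    now = [1_000_000.0]

    def clock() -> float:
        return now[0]

    server = FakeServer(clock, scopes={"orders"})
    client = ApiClient("https://api.example.invalid",
                       TokenProvider(server.issue, clock=clock), server.transport)
    s1, _ = client.request("POST", "/orders", {"amount_cents": 12500})   # tok-1 issued
    now[0] += 280            # inside the 30 s margin: client renews before sending
    s2, _ = client.request("GET", "/orders/123")                           # tok-2 issued
    server.revoke("tok-2")   # revoked server-side; the client only learns this on the next call
    s3, _ = client.request("GET", "/orders/123")                           # 401 -> tok-3 -> 200
    try:
        client.request("GET", "/webhooks")
        forbidden = False
    except PermissionError:
        forbidden = True                                                  # no retry, no new token
    return {"statuses": (s1, s2, s3), "tokens_issued": server.issued,
            "requests_seen": len(server.log), "forbidden": forbidden}


if __name__ == "__main__":
    print(demo())
```

The renewal margin and the single-retry rule are the two practical details the page leaves to you: the margin avoids races where a token that was valid when the request was built has expired by the time it is checked, and the one-retry cap means a bad credential produces an error rather than a tight loop of authentication calls.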
Security Best Practices
- Treat access tokens as sensitive – keep them server-side and out of logs and error reports; do not expose them in client-side code unless necessary, and if a client must hold one, give it the narrowest permissions and shortest lifetime you can.
- Use HTTPS – all API calls should be made over secure TLS connections; a Bearer token sent over plain HTTP can be read and replayed by anyone on the network path.
- Rotate tokens regularly – refresh or re-authenticate on expiry rather than working around expiration.
- Follow least-privilege principles – ensure tokens grant only the permissions needed by your integration.
